Nextcloud update aborted due to missing file permissions #15

New Issue

Closed

opened 2021-04-15 22:32:54 +03:00 by seedon · 6 comments

seedon commented 2021-04-15 22:32:54 +03:00

It has been observed that when a new update is available for the Nextcloud service it is unable to update due to missing write permissions the update process is aborted due to this reason.

Here is the output:

Check for expected files
Check for write permissions
The following places can not be written to:
/nix/store/abr6kzqh57fjq2fdx5h40v5spddkjq3m-nextcloud-20.0.7/updater/../AUTHORS
/nix/store/abr6kzqh57fjq2fdx5h40v5spddkjq3m-nextcloud-20.0.7/updater/../.htaccess
/nix/store/abr6kzqh57fjq2fdx5h40v5spddkjq3m-nextcloud-20.0.7/updater/../cron.php
/nix/store/abr6kzqh57fjq2fdx5h40v5spddkjq3m-nextcloud-20.0.7/updater/../index.php
/nix/store/abr6kzqh57fjq2fdx5h40v5spddkjq3m-nextcloud-20.0.7/updater/../console.php
/nix/store/abr6kzqh57fjq2fdx5h40v5spddkjq3m-nextcloud-20.0.7/updater/../.user.ini
/nix/store/abr6kzqh57fjq2fdx5h40v5spddkjq3m-nextcloud-20.0.7/updater/../remote.php
/nix/store/abr6kzqh57fjq2fdx5h40v5spddkjq3m-nextcloud-20.0.7/updater/../public.php
/nix/store/abr6kzqh57fjq2fdx5h40v5spddkjq3m-nextcloud-20.0.7/updater/../index.html
/nix/store/abr6kzqh57fjq2fdx5h40v5spddkjq3m-nextcloud-20.0.7/updater/../occ
/nix/store/abr6kzqh57fjq2fdx5h40v5spddkjq3m-nextcloud-20.0.7/updater/../robots.txt
/nix/store/abr6kzqh57fjq2fdx5h40v5spddkjq3m-nextcloud-20.0.7/updater/../status.php
/nix/store/abr6kzqh57fjq2fdx5h40v5spddkjq3m-nextcloud-20.0.7/updater/../version.php
/nix/store/abr6kzqh57fjq2fdx5h40v5spddkjq3m-nextcloud-20.0.7/updater/../COPYING

It has been observed that when a new update is available for the Nextcloud service it is unable to update due to missing write permissions the update process is aborted due to this reason. Here is the output: Check for expected files Check for write permissions The following places can not be written to: /nix/store/abr6kzqh57fjq2fdx5h40v5spddkjq3m-nextcloud-20.0.7/updater/../AUTHORS /nix/store/abr6kzqh57fjq2fdx5h40v5spddkjq3m-nextcloud-20.0.7/updater/../.htaccess /nix/store/abr6kzqh57fjq2fdx5h40v5spddkjq3m-nextcloud-20.0.7/updater/../cron.php /nix/store/abr6kzqh57fjq2fdx5h40v5spddkjq3m-nextcloud-20.0.7/updater/../index.php /nix/store/abr6kzqh57fjq2fdx5h40v5spddkjq3m-nextcloud-20.0.7/updater/../console.php /nix/store/abr6kzqh57fjq2fdx5h40v5spddkjq3m-nextcloud-20.0.7/updater/../.user.ini /nix/store/abr6kzqh57fjq2fdx5h40v5spddkjq3m-nextcloud-20.0.7/updater/../remote.php /nix/store/abr6kzqh57fjq2fdx5h40v5spddkjq3m-nextcloud-20.0.7/updater/../public.php /nix/store/abr6kzqh57fjq2fdx5h40v5spddkjq3m-nextcloud-20.0.7/updater/../index.html /nix/store/abr6kzqh57fjq2fdx5h40v5spddkjq3m-nextcloud-20.0.7/updater/../occ /nix/store/abr6kzqh57fjq2fdx5h40v5spddkjq3m-nextcloud-20.0.7/updater/../robots.txt /nix/store/abr6kzqh57fjq2fdx5h40v5spddkjq3m-nextcloud-20.0.7/updater/../status.php /nix/store/abr6kzqh57fjq2fdx5h40v5spddkjq3m-nextcloud-20.0.7/updater/../version.php /nix/store/abr6kzqh57fjq2fdx5h40v5spddkjq3m-nextcloud-20.0.7/updater/../COPYING

seedon changed title from Missing file permissions in updater module of Nextcloud Instance to Nextcloud update aborted due to missing file permissions 2021-04-15 22:33:31 +03:00

Ghost added the

No resolution

label 2021-04-15 23:24:49 +03:00

Ghost commented 2021-04-15 23:24:52 +03:00

Dear Seedon,

Thanks for contacting SelfPrivacy support,

Please be informed that NextCloud receives updates using operating system packages and it can't be updated via web interface. It usually takes a day or two to obtain an update. Operating system self-maintains installed packages(takes care about them being up to date and running), so you will automatically receive all necessary updates, including those, NextCloud offers you to install.

The inability of NextCloud to install updates, caused by major tunings that we made to the Linux distro we use. It uses atomic upgrades model. It means that major part of filesystem is read-only and can be modified only using package manager(and user that package manager being run from). Services, like NextCloud, run in the isolated environments to prevent hackers from accessing your data, in case if server is hacked. The side effect of such security measures is that services can't modify existing /usr, /opt and some other filesystems. That is being done using package manager. That's why we bundle NextCloud updates as regular OS packages.

I hope that clarifies the situation.

--
Best Regards

Dear Seedon, Thanks for contacting SelfPrivacy support, Please be informed that NextCloud receives updates using operating system packages and it can't be updated via web interface. It usually takes a day or two to obtain an update. Operating system self-maintains installed packages(takes care about them being up to date and running), so you will automatically receive all necessary updates, including those, NextCloud offers you to install. The inability of NextCloud to install updates, caused by major tunings that we made to the Linux distro we use. It uses atomic upgrades model. It means that major part of filesystem is read-only and can be modified only using package manager(and user that package manager being run from). Services, like NextCloud, run in the isolated environments to prevent hackers from accessing your data, in case if server is hacked. The side effect of such security measures is that services can't modify existing /usr, /opt and some other filesystems. That is being done using package manager. That's why we bundle NextCloud updates as regular OS packages. I hope that clarifies the situation. -- Best Regards

seedon commented 2021-04-15 23:46:18 +03:00

Poster

That makes perfect sense.

I have a follow-up question, so if you have heavily modified the OS will it be a good idea to login to the VPS using ssh and do any modifications like say for example I own abc.com and I want to host a simple portfolio website at www.abc.com using the same VPS. What if I setup another nginx server for this job using ssh. Are there any chances that it might break in the future due to this reason Or is it a good idea to just completely avoid it.

That makes perfect sense. I have a follow-up question, so if you have heavily modified the OS will it be a good idea to login to the VPS using ssh and do any modifications like say for example I own abc.com and I want to host a simple portfolio website at www.abc.com using the same VPS. What if I setup another nginx server for this job using ssh. Are there any chances that it might break in the future due to this reason Or is it a good idea to just completely avoid it.

Ghost commented 2021-04-15 23:59:45 +03:00

Thanks for your question.

Frankly speaking, we still have a discussion inside our organization, how to approach server control.

Our mission is to provide user with end-to-end control over the server using our mobile application. In the most ideal scenario, it would allow you to host some sort of a static webpage on the unocuppied root domain.

The discussion I mentioned is about SSH key inclusion during server setup. On the one hand, it would allow user to tweak it's server in a very flexible approach, but on the other, user risks to make some configuration changes that will break communication between server and application, so we still do not have exact answer on the question: "How to do better?"

I'm the supporter of an idea to provide an option for the user, to include SSH key(allowing remote access by this action), or not. Other members of our team prefer to avoid such approach completely as an additional security measure.

Regarding the ability to host static webpage(or a web application) on the server, if you want, we can create feature request for such functionality and consider adding such possibility in the one of a future releases.

I hope that answers your question.
Feel free to contact back.

--
Best Regards

Thanks for your question. Frankly speaking, we still have a discussion inside our organization, how to approach server control. Our mission is to provide user with end-to-end control over the server using our mobile application. In the most ideal scenario, it would allow you to host some sort of a static webpage on the unocuppied root domain. The discussion I mentioned is about SSH key inclusion during server setup. On the one hand, it would allow user to tweak it's server in a very flexible approach, but on the other, user risks to make some configuration changes that will break communication between server and application, so we still do not have exact answer on the question: "How to do better?" I'm the supporter of an idea to provide an option for the user, to include SSH key(allowing remote access by this action), or not. Other members of our team prefer to avoid such approach completely as an additional security measure. Regarding the ability to host static webpage(or a web application) on the server, if you want, we can create feature request for such functionality and consider adding such possibility in the one of a future releases. I hope that answers your question. Feel free to contact back. -- Best Regards

👍 2

seedon commented 2021-04-16 07:52:19 +03:00

Poster

Well i understand the concerns, after all the measure taken on securing the system, providing access to the user would be like throwing security right out of the window.

I believe it must be a balance on how much access the user gets, what I mean to say is. Most users just want a portfolio site or some sort of static website. Something like github pages. The user hosts static files on one of his gitea repos and it reflects on the root domain.

This way the user has control over what he wants to display but that's where it ends. Security stays intact while providing the user with some freedom.

This is just my opinion, i have no idea on how difficult it might be to implement this, or if it is even possible based on the current architecture.

What do you think?

Well i understand the concerns, after all the measure taken on securing the system, providing access to the user would be like throwing security right out of the window. I believe it must be a balance on how much access the user gets, what I mean to say is. Most users just want a portfolio site or some sort of static website. Something like github pages. The user hosts static files on one of his gitea repos and it reflects on the root domain. This way the user has control over what he wants to display but that's where it ends. Security stays intact while providing the user with some freedom. This is just my opinion, i have no idea on how difficult it might be to implement this, or if it is even possible based on the current architecture. What do you think?

Ghost commented 2021-04-16 13:27:57 +03:00

I discussed this with my management today. We decided to expose /var/www/yourdomain.com directory to the application, so user would be able to upload static webpage directly into it. That's the way you would be able to host a webpage.

Regarding remote access, we decided, until our project remains in alpha state, SSH access will be allowed using the passowrd, defined during initial setup. That may be necessary for debugging purposes.

I hope that answers your question.

--
Best Regards

I discussed this with my management today. We decided to expose /var/www/yourdomain.com directory to the application, so user would be able to upload static webpage directly into it. That's the way you would be able to host a webpage. Regarding remote access, we decided, until our project remains in alpha state, SSH access will be allowed using the passowrd, defined during initial setup. That may be necessary for debugging purposes. I hope that answers your question. -- Best Regards

🎉 1

seedon commented 2021-04-16 13:43:18 +03:00

Poster

@ilchub

I discussed this with my management today. We decided to expose /var/www/yourdomain.com directory to the application, so user would be able to upload static webpage directly into it. That's the way you would be able to host a webpage.

Regarding remote access, we decided, until our project remains in alpha state, SSH access will be allowed using the passowrd, defined during initial setup. That may be necessary for debugging purposes.

I hope that answers your question.

--
Best Regards

Yes it does. I appreciate it, thank you. 🙏

@ilchub >I discussed this with my management today. We decided to expose /var/www/yourdomain.com directory to the application, so user would be able to upload static webpage directly into it. That's the way you would be able to host a webpage. > >Regarding remote access, we decided, until our project remains in alpha state, SSH access will be allowed using the passowrd, defined during initial setup. That may be necessary for debugging purposes. > >I hope that answers your question. > >-- >Best Regards Yes it does. I appreciate it, thank you. 🙏

Ghost closed this issue 2021-05-03 11:21:11 +03:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

translations

master

inex/april-refactor

def/feat_copy_onSecondaryTap_about_page

add_complated_state_for_jobs_widget

add_load_animation_to_providers

add_loading_caption_to_providers

backblaze-refactor

update_description

dto

restore-strategy

backups-testing

def/md_edit

routes-refactor

error-handling

v.0.6.0-semver

cicd

fdroid

0.11.0

0.10.1

0.10.0

0.9.1

0.9.0

0.8.0

0.7.0

0.7.0-test

0.6.0-test

0.6.0

v.0.6.0

v.0.5.3

v.0.5.2

v0.5.2

v.0.5.1

v.0.5.0

v.0.4.2

v.0.4.0

v.0.3.0

v.0.2.4

v.0.1.3

v.0.1.2

v.0.1.1

v.0.1.0

Labels

Clear labels   

Blocked

Issue that can't be resolved right now due to some circumstances   

Bug

Discovered issue that affects regular operation   

Contributions welcome

  

Did not do

Issue is not queued for resolution due to low priority or introduced difficulties during the resolution   

Errata

Known issue with available workaround   

Feature request

Functionality/usability enchansement   

Fixed

Issue resolved in one of the application/backend releases   

How To

Question, regarding product operation   

Invalid

  

Needs design

A sketch or detailed description of the feature look is wanted   

No resolution

Issue is not queued for resolution due to architecture pecularities

  

Priority

Critical

  

Priority

High

  

Priority

Low

  

Priority

Medium

  

Providers

Digital Ocean

Issues related to Digital Ocean REST API   

Providers

Hetzner

Issues related to Hetzner REST API

  

Refactor

  

Severity

High

  

Severity

Low

  

Severity

Medium

  

Source

Community

Feature requests and bugs reported on our support chats   

Source

Core Team

  

Source

Stakeholders

Kirill, NLnet, and others

  

Translations

  

Under investigation

Issue details are currently being investigated

No Label

Blocked

Bug

Contributions welcome

Did not do

Errata

Feature request

Fixed

How To

Invalid

Needs design

No resolution

Priority

Critical

Priority

High

Priority

Low

Priority

Medium

Providers

Digital Ocean

Providers

Hetzner

Refactor

Severity

High

Severity

Low

Severity

Medium

Source

Community

Source

Core Team

Source

Stakeholders

Translations

Under investigation

Milestone

Clear milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

No Assignees

2 Participants

Notifications

Subscribe

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: SelfPrivacy/selfprivacy.org.app#15

There is no content yet.